Shell script containing passwords.

[Eric F Crist]

On Tuesday 10 February 2004 09:28 am, Lewis Thompson wrote:
> On Tue, Feb 10, 2004 at 10:12:09AM -0500, Lowell Gilbert wrote:
> > Lewis Thompson <purple at lewiz.net> writes:
> > >   I am worried that because the script must be read/writeable by the
> > > Apache user (www) that anybody that can write a PHP script on my
> > > machine can read the auth script and read the passwords that would be
> > > contained within -- those to my MySQL server.
> >
> > Why would the script be readable or writeable by any user?
> > It only needs to be executable, right?
>
> Well, since it's an interpreted script (it's some standalone PHP) in
> order to execute it, the user must be able to read it.  Since the script
> holds passwds that means that any user with the ability to run it can
> get the passwds (in my case to access my MySQL server).
>
>   This is a ``flaw'' with the way Apache works because everything Apache
> executes must be +rw for the Apache user (www).  As a result any person
> able to write PHP code (all of my users) can read anything that the
> Apache user can, because mod_php executes as the Apache user.
>
>   There are security features in PHP (safe_mode) but these conflict with
> a large number of PHP scripts.  I'm trying to work it out this way now
> but it's a lot of hassle.
>
>   Thanks for your response,
>
> -lewiz.

Check the syntax for the .htaccess files in the httpd.conf file.  This is a 
file that must be non-readable by regular users via php, but apache has a 
filter written within the httpd.conf file to disallow access.  I know it's 
about 3/4 of the way down the page.

HTH

-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20040210/5f7346fe/attachment.bin